Hackers are actively exploiting two critical vulnerabilities in the Houzez theme
The Houzez theme is a premium plugin that costs $69, offering easy listing management and a seamless customer experience. The provider’s website claims to serve over 35,000 customers in the real estate industry.
The Patchstack report warns that some sites have not implemented the security update, and hackers are actively exploiting these old flaws in ongoing attacks.
The vulnerability in the theme and plugin is now being exploited in the field and we have seen a large number of attacks from the IP address 103.167.93.138 .
The first flaw in Houzz is tracked as CVE-2023-26540 and has a severity rating of 9.8 out of 10.0 under the CVSS v3.1 standard, classifying it as a critical vulnerability.
This is a security misconfiguration that affects Houzez Theme plugin version 2.7.1 and above and can be exploited remotely without authentication to perform privilege escalation.
The version that fixes the problem is Houzez theme 2.7.2 and later.
The second flaw received the identifier CVE-2023-26009, and is also rated critical (CVSS v3.1: 9.8), and affects the Houzes Login Register plugin.
It affects versions 2.6.3 and higher, and allows unauthenticated attackers to escalate privileges on sites using the plugin.
The version that addresses the security threat is Houzez Login Register 2.6.4 and later.
In the attacks observed by Patchstack, hackers put up a backdoor capable of executing commands, injecting advertisements into the site or redirecting traffic to other malicious sites.